5.8 Ensure the Mailbox Access by Non-Owners Report is reviewed at least biweekly

Information

You should review the Mailbox Access by Non-Owners report at least every other week. This report shows which mailboxes have been accessed by someone other than the mailbox owner.

NOTE: This report is run from the classic Exchange admin center; the new Exchange admin center does not offer it. Mailbox auditing must be enabled for the mailboxes in scope, otherwise the report has nothing to show.

Rationale:

While there are many legitimate uses of delegate permissions, regularly reviewing that access can help prevent an external attacker from maintaining access for a long time, and can help discover malicious insider activity sooner.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To review the report, perform the following steps using the Microsoft 365 Admin Center:

Click Exchange.

Click on Classic Exchange admin center.

Click Compliance Management, then select the Auditing tab.

Select Run a non-owner mailbox access report.

Enter Start Date and End Date.

Set the Search for access by field to All non-owners.

Select Search.
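The same review can be done from Exchange Online PowerShell, which is useful where the classic admin center is not available or where the output needs to be kept as evidence. The script below is an added example and is not part of the CIS benchmark or Microsoft's documentation. It assumes the ExchangeOnlineManagement module, an account holding the Audit Logs or View-Only Audit Logs role, that mailbox auditing is enabled, and a 14-day window; the $Days parameter, the output path and the column names chosen for the CSV are illustrative. It reads the unified audit log rather than the classic report, and treats any record whose LogonType is not 0 (owner) and whose acting user differs from the mailbox owner as non-owner access.

```powershell
# Added example (not benchmark or Microsoft code). Assumes ExchangeOnlineManagement
# is installed and the signed-in account can read the unified audit log.
param(
    [int]$Days = 14,                                   # review window; biweekly per control 5.8
    [string]$OutCsv = ".\NonOwnerMailboxAccess.csv"    # illustrative output path
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$end   = Get-Date
$start = $end.AddDays(-$Days)

# Mailbox audit events land in these Exchange record types. RecordType takes one
# value per call, so each type is pulled separately; ReturnLargeSet with a fixed
# SessionId pages past the 5,000-record per-call limit until nothing comes back.
$records = @()
foreach ($rt in 'ExchangeItem', 'ExchangeItemGroup', 'ExchangeItemAggregated') {
    $sessionId = "NonOwnerReview-$rt-" + [guid]::NewGuid()
    do {
        $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
            -RecordType $rt -SessionId $sessionId `
            -SessionCommand ReturnLargeSet -ResultSize 5000
        if ($page) { $records += $page }
    } while ($page)
}

# AuditData is a JSON string. LogonType: 0 = owner, 1 = admin, 2 = delegate.
$logonNames = @{ 1 = 'Admin'; 2 = 'Delegate' }

$nonOwner = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    if ($null -eq $d.LogonType) { continue }          # aggregated records without a logon type
    if ($d.LogonType -ne 0 -and $d.UserId -ne $d.MailboxOwnerUPN) {
        $lt = [int]$d.LogonType
        [pscustomobject]@{
            When       = $d.CreationTime
            Mailbox    = $d.MailboxOwnerUPN
            AccessedBy = $d.UserId
            LogonType  = if ($logonNames.ContainsKey($lt)) { $logonNames[$lt] } else { $lt }
            Operation  = $d.Operation
            ClientIP   = $d.ClientIPAddress
            Client     = $d.ClientInfoString
        }
    }
}

# Keep the full detail as evidence and show the reviewer a per-pair summary.
$nonOwner | Sort-Object When | Export-Csv -NoTypeInformation -Path $OutCsv
$nonOwner | Group-Object Mailbox, AccessedBy |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

When reviewing the output, compare each Mailbox/AccessedBy pair against the delegate and Full Access permissions the organisation expects to exist; an accessor that holds no documented permission, an Admin logon type outside a change window, or a client IP that does not match the accessor's usual location is what this control is meant to surface. Unified audit log retention is finite, so run the review on schedule rather than relying on the log to be searchable later.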

See Also

https://workbench.cisecurity.org/files/3729

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-6, 800-53|AU-6(1), 800-53|AU-7(1), CSCv7|6.2

Plugin: microsoft_azure

Control ID: a6e411f17ffeb5cddd6059f00519bafedfe3eb044abae22282ec5059ae408a7d